The date was June 26th 2017. Cisco’s CEO, Chuck Robbins, was delivering his keynote at Cisco Live US in Las Vegas. Out comes a very special guest, Apple’s CEO, Tim Cook, who sat on a stool next to Chuck & they announced a few things to the world that were coming out of the Apple|Cisco partnership.

Tim & Chuck at Cisco Live 2017

One such announcement was about a jointly built security solution named the Cisco Security Connector (CSC) for iOS, and that announcement was met with loud cheers from yours truly, since I had been working on that solution for over a year and was extremely excited for it finally going public.

The Cisco Security Connector for iOS provides net-new capabilities to the world’s most secure mobile OS. It provides the ability to protect the end user from accidental mistakes (like clicking on phishing links), enforce content filtering controls anywhere in the world through any connection and it provides the security and incident response team with visibility into the traffic from all iOS apps and where those apps were communicating to and the ability to block and control that traffic.

While I love to talk about CSC, this is not a CSC blog entry. That will come later. This blog post is about an unofficial workaround to meet the needs that many CSC customers have been asking me for.

What the rub?

The new security functionality that CSC leverages was added to Apple’s iOS 11, but it is for “supervised devices” only. Simply put, when a device is put into “supervised mode”, it is stating the device has been provided by the organization and is not a personally owned device – therefore extra levels of security may be enabled.

Some examples of features that are only available to iOS devices in supervised mode are:

Global HTTP proxy

Built-in content filter

Single app mode

Always-on VPN

Preventing hand-off

Supervised mode for iOS is very common for devices that are purchased through Apple’s volume purchase program (VPP) and they have a fantastic service known as the Device Enrollment Program (DEP) where the serial number of the devices purchased by your organization are linked to your org. With this service, any brand-new device that was pre-registered with DEP can be taken out of the box, powered on & when that new device talks to Apple’s cloud, it is immediately pushed a configuration that ties the device to the organization’s device manager.

Note: I can personally vouch that the DEP solution works beautifully, and I am including an anecdotal true story about DEP at the end of this blog post.

While device supervision is perfect for brand-new devices; it does provide some challenges to organizations who are trying to convert existing devices. The official position stated by Apple is that an iOS device must be wiped when switching from the default mode to supervised mode. This is ultimately a way to protect the privacy of the end user; so that anything personal from a consumer device is not maintained once the organization takes full control of the device in supervised mode.

So, officially, you must wipe the device to switch it to supervised mode & then install the Cisco Security Connector for iOS. Even if you try to backup the endpoint > then wipe it & convert to supervised mode > then restore the backup, it won’t work. The restore will convert the device back to non-supervised.

An unorthodox approach to accomplish the seemingly impossible

Now that you are ready to beat your head against the wall & give up, let me instill a small glimmer of hope. There is an unsupported workaround to make the restore work.

The backup must be from a different iOS device. If the backup is from a device with the same serial number, the restore will not succeed. In other words, iOS must think this is a migration from one device to another, instead of a backup & restore of the same device.

You could backup the original device > restore it to another iOS device. Then backup that second iOS device. Here are those steps:

Note: your devices will either need a SIM card or be unlocked/activated if they are cellular capable. A working SIM card is not required, and Wi-Fi connectivity is often all you need to prove the device is activated.

Ensure both devices are running the exact same (read: latest) version of iOS.

Turn off Find My iPhone on the original device that is non-supervised. It can MDM managed already, that doesn’t matter.

Do an iCloud backup of the phone with Find My iPhone off.

Restore that iCloud backup to a second iOS device.

Turn off Find My iPhone on the second device that is non-supervised. It can MDM managed already, that doesn’t matter.

Do an iCloud backup of the second device with Find My iPhone off.

Take the original phone and connect it to a mac with Apple Configurator 2.x installed (latest version).

Tell configuration tool to “prepare” your phone. Do not uncheck any of the setup steps. You will be tempted to do this, since disabling first boot steps will save you time, etc. Do not do this. Also, don’t tell configurator to automatically enroll your phone in MDM. This feature, best I can tell, only works if your phone is DEP enrolled.

Configurator tool will completely wipe the phone and install a clean version of whatever OS version is already on that phone.

After “prep” the phone will bootup and be in supervised mode and will prompt for the usual “brand new iPhone setup” stuff.

You will get to a step (after Wi-Fi setup) where you are asked to setup this iPhone as a new device or restore a backup from iCloud / iTunes. Choose “restore a backup from iCloud”

When the restore is done (you will know because the “restoring” status indicator will go away) press the home button once to wake up the phone. Do not select anything on the screen, finish setup etc. Do nothing on the iOS device at this point.

Back on your mac (you may have left the phone connected to your mac via USB this whole time, with configurator tool running) the phone will still show up but only if you select “all phones” or “unsupervised phones”; select your phone and (right click) choose “Update”.

This “update” should be quick, and within moments your phone should return to the “springboard”. Go into settings and at the top you should see your “This iPhone is supervised and managed by… [whatever you configured it to say in Apple Configurator 2 tool]”.

Done! You now have a supervised iOS device with a restore of your pre-supervised device. At this point you can (manually) enroll the phone in your MDM, so you can deploy Cisco Security Connector, etc. You may also turn Find my Phone back on, etc.

One last thing. If you ever run into Jeff Fanelli from Cisco, thank him for this wonderful trick.

-Aaron

Anecdotal true story about DEP

I received a phone call from a very angry man back in April of 2018 from a very angry man who had recently purchased a used macBook from eBay. He found me because I spoke at Jamf Nation User Conference (JNUC) about how Cisco uses Jamf to manage over 30,000 macOS devices.

He was furious because he purchased this macBook & “apparently” Cisco was not following “Apple’s very specific stipulation in the Apple Device Enrollment Program Agreement”, specifically:

2.5 Device Transfer

Institution will not resell any Authorized Devices with MDM Enrollment Settings enabled and agrees to remove such Devices from MDM management in the Program web portal prior to reselling them or transferring them to non-Authorized Users in any way.

You see, what was happening is: this guy wiped and restored the macBook with a clean install of macOS. However, every time it booted it would talk to Apple’s cloud & be provisioned with a profile via DEP that forced this device to speak to our Jamf MDM – which of course he wasn’t authorized to do – and therefore the device was completely useless to him.

I explained to the gentleman how the DEP program works, that his device might possibly be stolen, and he argued that it was a legal sale on eBay, etc. I explained that I would not give out the direct contact information of our endpoint management team members but would forward his information along.

Low and behold: the device had been reported stolen on March 28th, 2018. Not even a full month before this man contacted me. Our endpoint management team took it from there & recovered the stolen item.

Like this:

LikeLoading...

Related

Published by Loxx

Aaron Woland, CCIE No. 20113, is a Principal Engineer in Cisco’s Advanced Threat Security group and works with Cisco’s Largest Customers all over the world. His primary job responsibilities include security design, solution enhancements, standards development, advanced threat solution design, endpoint security and futures.
Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards, and standards body working groups. Prior to joining Cisco, Aaron spent 12 years as a Consultant and Technical Trainer.
Aaron is the author of: both editions of the Cisco ISE for BYOD and Secure Unified Access book; the All-in-one Cisco ASA Firepower Services, NGIPS and AMP book; the CCNP Security SISAS 300-208 Official Cert Guide; the CCNA Security 210-260 Complete Video Course; and many published white papers and design guides.
Aaron is one of only five inaugural members of the Hall of Fame Elite for Distinguished Speakers at Cisco Live, and is a security columnist for Network World where he blogs on all things related to Security. His other certifications include: GHIC, GCFE, GSEC, Certified Ethical Hacker, MCSE, VCP, CCSP, CCNP, CCDP and many other industry certifications.
You can follow Aaron on Twitter: @aaronwoland
View all posts by Loxx